11/**
2- * @name Express-Hbs Local File Read and Potential RCE
3- * @description Writing user input directly to res.render of ExpressJS used with Hbs can lead to LFR
2+ * @name Template Object Injection
3+ * @description Instantiating a template using a user-controlled object is vulnerable to local file read and potential remote code execution.
44 * @kind path-problem
55 * @problem.severity error
66 * @precision high
7- * @id js/express-hbs-lfr
7+ * @id js/template-object-injection
88 * @tags security
99 * external/cwe/cwe-073
1010 * external/cwe/cwe-094
1313import javascript
1414import DataFlow
1515import PathGraph
16- import Express
17- import semmle.javascript.DynamicPropertyAccess
1816
1917predicate isUsingHbsEngine ( ) {
20- exists ( MethodCallExpr method |
21- method .getMethodName ( ) = "set" and
22- Express:: appCreation ( ) .flowsToExpr ( method .getReceiver ( ) ) and
23- method .getArgument ( 1 ) .getStringValue ( ) .matches ( "hbs" )
24- )
18+ Express:: appCreation ( ) .getAMethodCall ( "set" ) .getArgument ( 1 ) .mayHaveStringValue ( "hbs" )
2519}
2620
2721class HbsLFRTaint extends TaintTracking:: Configuration {
@@ -39,6 +33,7 @@ class HbsLFRTaint extends TaintTracking::Configuration {
3933 }
4034}
4135
42- from HbsLFRTaint cfg , Node source , Node sink
43- where cfg .hasFlow ( source , sink )
44- select source , sink
36+ from HbsLFRTaint cfg , PathNode source , PathNode sink
37+ where cfg .hasFlowPath ( source , sink )
38+ select sink .getNode ( ) , source , sink , "Template object injection due to $@." , source .getNode ( ) ,
39+ "user-provided value"
0 commit comments